
Was just about to recommend this. Supporting WordPress every day, I find this is the best way to combat the problem. Another option would be to add an additional password for the directory. For you Apache guys,

  AuthType Basic
  AuthName "Authentication Required"
  AuthUserFile "/etc/htpasswd/.htpasswd"
  Require valid-user



Good tip. The other two changes I recommend are:

1. Disable PHP execution in the uploads directory (hmm, wonder if it'd work if I disabled it in the entire wp-content folder?).

2. Run PHP as a different user to the file owner.

Both of these are to minimise damage when an extension is exploited by a hacker (if it hasn't happened to you yet, it will do) and to reduce the damage done to the server/site.
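Item 1 above as an Apache 2.4 server-config fragment, added here as an example and not part of the original comment. The document root path is a placeholder, and the extension list is an assumption about which suffixes the server maps to PHP.

```apache
# Added example. /var/www/example is a placeholder document root.
<Directory "/var/www/example/wp-content/uploads">
    # Ignore any .htaccess dropped into the uploads tree, so the rules
    # below cannot be overridden from inside the directory.
    AllowOverride None

    # Refuse to serve anything with a PHP-style extension, whichever
    # handler (mod_php, PHP-FPM via proxy_fcgi, CGI) would otherwise run it.
    # The trailing (\.|$) also catches double extensions such as
    # "shell.php.jpg", which mod_mime can still hand to PHP when the
    # handler was registered with AddHandler.
    <FilesMatch "(?i)\.(php[0-9]?|phtml|phar|pht)(\.|$)">
        Require all denied
    </FilesMatch>

    # mod_php only: switch the interpreter off for this directory.
    # The module identifier depends on the PHP major version.
    <IfModule php_module>
        php_admin_flag engine off
    </IfModule>
    <IfModule php7_module>
        php_admin_flag engine off
    </IfModule>
</Directory>
```

Run `apachectl configtest` before reloading; a request for a `.php` file under the uploads path should then return 403.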


This is the approach I used to take also, before moving my site to Jekyll. You could also use fail2ban to prevent hammering of that URL.



